The application relates generally to vehicle security systems and more particularly to vehicle security systems that may be activated with remote access devices, such as key fobs, smart phones, Internet appliances, and any other suitable remote access device.
Modern automobiles contain electronic control units (ECUs) and sensors connected to in-vehicle networks. The Controller Area Network (CAN) was introduced in 1986 and has become the standard bus for automobile electronics. Door lock actuators, the engine starter, and theft prevention sensors are connected to the same network as the automobile diagnostic system, so they can be commanded by electronic inputs issued through the physical diagnostic port (OBD-II). In some vehicles, the same capability is also available remotely over a wireless link from a device such as an electronic key fob or a smart phone. There are many legitimate uses for starting an automobile engine and locking or unlocking the doors remotely, and many legitimate uses for physically accessing the OBD-II port to obtain diagnostic information.
FIG. 1 illustrates one example of a known vehicle configuration. It will be recognized that other components are also utilized. As shown, a controller area network (CAN) 100 allows multiple electronic control units located throughout the engine and vehicle to communicate with one another over various links. In addition, the CAN includes a hardware security module (HSM), which is designed to be tamper resistant and therefore difficult for an attacker to access, modify or bypass. Hardware security modules, as known in the art, include one or more processors, such as a central processing unit, and associated memory, wherein the memory stores executable instructions that, when executed, cause the processor to perform security operations. An example of security operations currently performed by a vehicle HSM is the work of the EVITA project. EVITA's goals are that all cryptographic operations take place inside the HSM and all keys are stored inside the HSM, with each key carrying usage flags (encrypt, decrypt, sign, verify). One example use case is a valet parking privacy application, providing secure access to and storage of personal usage data in connection with vehicle usage, such as information from use of an infotainment service or a driving activity recording system. Another example is vehicle-to-vehicle coordination, such as braking in one car causing activation of the brakes in another car, where the communication is secured through the HSM.
In another use case, data sent to a display is signed with keys stored in the HSM. The vehicle 102 may be, for example, a car, truck, or any other suitable vehicle. The vehicle systems also include one or more local interconnect networks (LIN) 104 that are in communication with the CAN through one or more communication links. The LIN may provide access to door lock actuators 106 and other actuators and devices. The vehicle also includes various sensors 108, theft prevention sensors 110, actuators 112 such as anti-lock brake system actuators, entertainment systems 114, an electronic engine controller 116 that may also be interconnected with other sensors 118 such as emission control sensors and speed sensors as known in the art, and an automobile diagnostic system 120 such as an OBD-II system with a diagnostic port 122 such as an OBD-II port. The OBD-II port may be accessed as known in the art to obtain diagnostic information and other information from the automobile diagnostic system. Users of the vehicle may be assigned a remote access device 124, such as a key fob, that has a wireless transceiver to communicate with the vehicle's CAN to unlock doors, open the trunk, start the vehicle, and perform other operations.
Defensive systems such as a check for the presence of a physical key have been defeated by a thief's ability to copy the physical key. Defensive systems that check for an electronic signal or digital signature, whether embedded in the physical key or in a remote key fob, have also been defeated. Weak implementations of physical and electronic key security have thus led to malicious physical access to vehicles.
If an automobile thief is able to gain physical or remote wireless access to the automobile's diagnostic electronic system, they can issue electronic commands to unlock the doors, gaining physical access, and to start the engine. Additionally, in any complex electronic system there is the possibility of implementation flaws that enable a malicious actor to assume control. Therefore, there is a need for more than one layer of defensive security.
Automobile diagnostic systems currently accept commands without authentication. Even if future diagnostic systems were to perform authentication, the automobile would still have no way of knowing whether the authentication was performed by the legitimate operator or by a thief holding a copy of the operator's credentials. Authentication implementation flaws and the fundamental weakness of authentication secrets (they can be copied) highlight the need for an additional layer of defensive security.
FIG. 2 illustrates an example of a gateway ECU 200 that may be employed as part of the CAN 100. A hardware security module 202 may be employed as part of the gateway ECU or may be connected thereto in a secure manner. The hardware security module includes one or more processors and associated memory that allows software to be executed by the processor to cause the processor to perform operations. The gateway ECU 200 also includes one or more processors 204 and associated memory 206. The gateway ECU 200 may also include a wireless transceiver 201, or be in communication with a wireless transceiver in the vehicle, to allow communication with the remote access devices, shown in this example as a key fob 208, an OEM remote access system 210 such as OnStar, or a smart phone 212.
It has been proposed to use symmetric cryptography between the remote access devices and the hardware security module in a gateway ECU. For example, the HSM stores a vehicle certificate carrying a unique vehicle ID, and the remote access devices are manufactured with corresponding symmetric credentials, so that the key fob and the HSM can perform a symmetric key authentication operation by which the HSM and the gateway ECU identify the key fob (or other device) as properly corresponding to a particular vehicle and therefore trusted.
However, a problem arises with such systems: an attacker who extracts the symmetric key based certificate from a key fob can program it into another key fob, and the vehicle accepts that clone, allowing the attacker to access and steal the vehicle. This is because the vehicle grants access to the diagnostic system once the symmetric key based certificates have authenticated, regardless of whether the vehicle is parked or in use. A parked vehicle, for example, will still allow access to its diagnostic system through the OBD port. A vehicle may have many such access points, including Bluetooth, WiFi, and the OBD port.
It has also been proposed to use an asymmetric public key infrastructure, wherein the OEM serves as the root certificate authority (e.g., a server controlled by the OEM) and the HSM authenticates a key fob as a genuine part from the manufacturer, since the manufacturer issues the public and private key pairs for both the HSM and the key fob. However, the proposed systems still allow OBD access to a parked vehicle or to a vehicle that has been locked with a remote access device.
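The following is an added illustration of the difference between the two proposals above; it is example code written for this page, not the application's protocol or any OEM's implementation. It assumes a hypothetical challenge-response exchange: the gateway HSM sends a random challenge, the fob answers with either an HMAC under a shared secret (symmetric) or an Ed25519 signature (asymmetric), and the HSM verifies. The three scenario functions show that a fob programmed with a copied shared secret is accepted, that dumping an HSM which stores only a public key does not let an attacker answer the challenge, and that a recorded response is rejected against a fresh challenge.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Challenge-response between a gateway HSM and a remote access device (key
// fob). Hypothetical protocol written for this example; it is not the
// application's or any OEM's scheme.

// randBytes returns n bytes from the OS CSPRNG. Without entropy neither the
// secrets nor the challenges below are safe, so failure is fatal.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func genKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// ---- Symmetric scheme: fob and HSM hold the same secret ----

type symFob struct{ secret []byte }

// respond computes HMAC-SHA256(secret, challenge); anyone holding the secret can.
func (f symFob) respond(challenge []byte) []byte {
	m := hmac.New(sha256.New, f.secret)
	m.Write(challenge)
	return m.Sum(nil)
}

type symHSM struct{ secret []byte }

// verify recomputes the MAC and compares it in constant time.
func (h symHSM) verify(challenge, response []byte) bool {
	m := hmac.New(sha256.New, h.secret)
	m.Write(challenge)
	return hmac.Equal(m.Sum(nil), response)
}

// ---- Asymmetric scheme: HSM stores only the fob's public key ----

type asymFob struct{ priv ed25519.PrivateKey }

func (f asymFob) respond(challenge []byte) []byte { return ed25519.Sign(f.priv, challenge) }

type asymHSM struct{ pub ed25519.PublicKey }

func (h asymHSM) verify(challenge, sig []byte) bool { return ed25519.Verify(h.pub, challenge, sig) }

// SymmetricCloneAccepted: a second fob programmed with a copied secret (taken
// from the fob, or from the HSM, which must hold the same bytes) is
// indistinguishable from the genuine one.
func SymmetricCloneAccepted() bool {
	secret := randBytes(32)
	hsm, genuine := symHSM{secret: secret}, symFob{secret: secret}
	clone := symFob{secret: append([]byte(nil), secret...)} // attacker's copy
	ch := randBytes(16)                                      // fresh challenge
	return hsm.verify(ch, genuine.respond(ch)) && hsm.verify(ch, clone.respond(ch))
}

// AsymmetricHSMDumpInsufficient: dumping the HSM yields only the public key,
// so an attacker with their own key pair cannot forge a response. Extracting
// the private key from the fob itself would still clone it.
func AsymmetricHSMDumpInsufficient() bool {
	pub, priv := genKey()
	_, attackerPriv := genKey()
	hsm, genuine, forged := asymHSM{pub: pub}, asymFob{priv: priv}, asymFob{priv: attackerPriv}
	ch := randBytes(16)
	return hsm.verify(ch, genuine.respond(ch)) && !hsm.verify(ch, forged.respond(ch))
}

// ReplayRejected: a recorded response passes only for the challenge it was
// made for, which is why the HSM must draw a fresh nonce every time.
func ReplayRejected() bool {
	pub, priv := genKey()
	hsm, fob := asymHSM{pub: pub}, asymFob{priv: priv}
	ch1, ch2 := randBytes(16), randBytes(16)
	recorded := fob.respond(ch1)
	return hsm.verify(ch1, recorded) && !hsm.verify(ch2, recorded)
}

func main() {
	fmt.Println("symmetric clone accepted:        ", SymmetricCloneAccepted())
	fmt.Println("asymmetric HSM dump insufficient:", AsymmetricHSMDumpInsufficient())
	fmt.Println("replay rejected:                 ", ReplayRejected())
}
```

The asymmetric variant only removes the HSM as a source of fob-cloning material; it does not change the fact noted in the text that a successfully authenticated device is then granted diagnostic access whatever the vehicle's state.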
Also, while a car is driving, electronic systems coordinate with one another to accomplish pre-programmed tasks. If an operator applies the braking system hard under specific circumstances, ABS braking enables the operator to maintain control over steering while carefully balancing brake caliper application. Adaptive cruise control adds intelligence to the driving experience by helping the operator control throttle and brakes automatically, in coordination with camera sensors. Assisted parallel parking logic helps the operator by automating a series of steering movements. These electronic advancements have led to increased safety and convenience for the operator.
If ABS braking or assisted parallel parking were to be applied at high speed, the results could be catastrophic for the occupants of the automobile. Unfortunately, this scenario is possible because of the electronic connectivity of the automobile's computer network and the trusting nature of the electronic control units: electronic safety mechanisms can be bypassed and defeated. Most worryingly, unlike a normal personal computer, an attacker mounting a denial of service or timing attack needs only seconds, while the automobile is traveling at high speed, before it might collide with another vehicle or a roadside fixture.
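As an added example of the additional layer the text calls for (example code written for this page, not the application's mechanism), the gateway below refuses commands that are implausible for the vehicle's current state even when the sender has authenticated: diagnostic requests are dropped while the vehicle is locked, park-assist steering is dropped above walking pace, and externally injected brake modulation is dropped unless the vehicle is stationary. The CAN identifiers, the 10 km/h threshold and the sample frames are constructed for the illustration and are not real OEM values.

```go
package main

import "fmt"

// Constructed CAN identifiers and thresholds for this example; they are not
// the application's values or any OEM's real ones.
const (
	idDiagRequest uint32 = 0x7DF // OBD-II functional diagnostic request
	idParkAssist  uint32 = 0x2A0 // steering command from the park-assist ECU
	idABSCommand  uint32 = 0x2B0 // externally injected brake-modulation command

	parkAssistMaxKmh = 10.0 // park assist is only plausible at walking pace
)

// Frame is a minimal classic CAN frame: 11-bit identifier, up to 8 data bytes.
type Frame struct {
	ID   uint32
	Data []byte
}

// VehicleState must come from sensors the gateway trusts directly, never from
// frames on the bus it filters; otherwise an attacker could first spoof a
// standstill and then send the dangerous command.
type VehicleState struct {
	SpeedKmh      float64
	IgnitionOn    bool
	Locked        bool
	Authenticated bool // a remote access device has passed authentication
}

// Decide reports whether the gateway forwards f and why. Authentication alone
// is not enough: the command must also be plausible for the vehicle's state.
func Decide(s VehicleState, f Frame) (bool, string) {
	if f.ID > 0x7FF {
		return false, "invalid 11-bit identifier"
	}
	if len(f.Data) > 8 {
		return false, "payload longer than 8 bytes"
	}
	switch f.ID {
	case idDiagRequest:
		if s.Locked {
			return false, "diagnostic request while the vehicle is locked"
		}
		if !s.Authenticated {
			return false, "diagnostic request without an authenticated session"
		}
		return true, "diagnostic request allowed"
	case idParkAssist:
		if !s.IgnitionOn || s.SpeedKmh > parkAssistMaxKmh {
			return false, fmt.Sprintf("park-assist steering refused at %.0f km/h", s.SpeedKmh)
		}
		return true, "park-assist steering allowed"
	case idABSCommand:
		if s.SpeedKmh > 0 {
			return false, fmt.Sprintf("external brake modulation refused at %.0f km/h", s.SpeedKmh)
		}
		return true, "brake modulation allowed at standstill (service use)"
	}
	// Identifiers with no rule are forwarded here to keep the example short; a
	// production gateway would instead keep an allowlist per source bus.
	return true, "no rule; forwarded"
}

// Filter applies Decide to a batch and returns only the frames that pass.
func Filter(s VehicleState, frames []Frame) []Frame {
	var out []Frame
	for _, f := range frames {
		if ok, _ := Decide(s, f); ok {
			out = append(out, f)
		}
	}
	return out
}

func main() {
	// Constructed traffic, evaluated for a locked parked car and for the same
	// car at highway speed.
	frames := []Frame{
		{ID: idDiagRequest, Data: []byte{0x02, 0x01, 0x00}}, // mode 01, PID 00
		{ID: idParkAssist, Data: []byte{0x7F}},
		{ID: idABSCommand, Data: []byte{0x01}},
		{ID: 0x100, Data: []byte{0x00}},
	}
	for _, s := range []VehicleState{
		{SpeedKmh: 0, Locked: true, Authenticated: true},
		{SpeedKmh: 120, IgnitionOn: true, Authenticated: true},
	} {
		for _, f := range frames {
			ok, why := Decide(s, f)
			fmt.Printf("speed=%3.0f locked=%-5v id=0x%03X -> %-5v %s\n", s.SpeedKmh, s.Locked, f.ID, ok, why)
		}
	}
}
```

The essential design point is the source of VehicleState: if speed or lock status were read from the same bus the gateway is filtering, an attacker who can inject frames could set the state first and the plausibility rules would be defeated.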